xref: /onnv-gate/usr/src/lib/libnisdb/ldap_ruleval.c (revision 11262)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */


#include <lber.h>
#include <ldap.h>
#include <strings.h>

#include "nisdb_mt.h"

#include "ldap_util.h"
#include "ldap_val.h"
#include "ldap_attr.h"
#include "ldap_ldap.h"
#include "ldap_ruleval.h"


/*
 * Free an array of 'count' rule-value elements.
 */
void
freeRuleValue(__nis_rule_value_t *rv, int count) {
	int	n, i, j;

	if (rv == 0)
		return;

	for (n = 0; n < count; n++) {

		if (rv[n].colName != 0) {
			for (i = 0; i < rv[n].numColumns; i++) {
				sfree(rv[n].colName[i]);
			}
			free(rv[n].colName);
		}
		if (rv[n].colVal != 0) {
			for (i = 0; i < rv[n].numColumns; i++) {
				for (j = 0; j < rv[n].colVal[i].numVals; j++) {
					sfree(rv[n].colVal[i].val[j].value);
				}
				if (rv[n].colVal[i].numVals > 0)
					sfree(rv[n].colVal[i].val);
			}
			free(rv[n].colVal);
		}

		if (rv[n].attrName != 0) {
			for (i = 0; i < rv[n].numAttrs; i++) {
				sfree(rv[n].attrName[i]);
			}
			free(rv[n].attrName);
		}
		if (rv[n].attrVal != 0) {
			for (i = 0; i < rv[n].numAttrs; i++) {
				for (j = 0; j < rv[n].attrVal[i].numVals;
						j++) {
					sfree(rv[n].attrVal[i].val[j].value);
				}
				if (rv[n].attrVal[i].numVals > 0)
					sfree(rv[n].attrVal[i].val);
			}
			free(rv[n].attrVal);
		}

	}
	sfree(rv);
}

/*
 * Return an array of 'count' __nis_rule_value_t elements, initialized
 * to be copies of 'rvIn' if supplied; empty otherwise.
 */
__nis_rule_value_t *
initRuleValue(int count, __nis_rule_value_t *rvIn) {
	return (growRuleValue(0, count, 0, rvIn));
}

static const __nis_rule_value_t	rvZero = {0};

/*
 * Grow 'old' from 'oldCount' to 'newCount' elements, initialize the
 * new portion to 'rvIn' (empty if not supplied), and return a pointer
 * to the result. Following a call to this function, the caller must
 * refer only to the returned array, not to 'old'.
 */
__nis_rule_value_t *
growRuleValue(int oldCount, int newCount, __nis_rule_value_t *old,
		__nis_rule_value_t *rvIn) {
	__nis_rule_value_t	*rv;
	int			i, j;
	char			*myself = "growRuleValue";

	if (newCount <= 0 || newCount <= oldCount)
		return (old);

	if (oldCount <= 0) {
		oldCount = 0;
		old = 0;
	}

	if (rvIn == 0)
		rvIn = (__nis_rule_value_t *)&rvZero;

	rv = realloc(old, newCount * sizeof (rv[0]));
	if (rv == 0) {
		logmsg(MSG_NOMEM, LOG_ERR,
			"%s: realloc(%d ((%d+%d)*%d)) => 0",
			myself, (oldCount+newCount) * sizeof (rv[0]),
			oldCount, newCount, sizeof (rv[0]));
		freeRuleValue(old, oldCount);
		return (0);
	}

	(void) memset(&rv[oldCount], 0, (newCount-oldCount)*sizeof (rv[0]));

	for (i = oldCount; i < newCount; i++) {
		rv[i].numColumns = rvIn->numColumns;
		if (rv[i].numColumns > 0) {
			rv[i].colName = cloneName(rvIn->colName,
					rv[i].numColumns);
			rv[i].colVal = cloneValue(rvIn->colVal,
					rv[i].numColumns);
		}
		if (rv[i].numColumns > 0 &&
				(rv[i].colName == 0 || rv[i].colVal == 0)) {
			freeRuleValue(rv, i);
			return (0);
		}
		rv[i].numAttrs = rvIn->numAttrs;
		rv[i].attrName = cloneName(rvIn->attrName, rv[i].numAttrs);
		rv[i].attrVal = cloneValue(rvIn->attrVal, rv[i].numAttrs);
		if (rv[i].numAttrs > 0 &&
			(rv[i].attrName == 0 || rv[i].attrVal == 0)) {
			freeRuleValue(rv, i);
			return (0);
		}
	}

	return (rv);
}

/*
 * Merge the source rule-value 's' into the target rule-value 't'.
 * If successful, unless 's' is a sub-set of 't', 't' will be changed
 * on exit, and will contain the values from 's' as well.
 */
int
mergeRuleValue(__nis_rule_value_t *t, __nis_rule_value_t *s) {
	int	i, j;

	if (s == 0)
		return (0);
	else if (t == 0)
		return (-1);

	for (i = 0; i < s->numColumns; i++) {
		for (j = 0; j < s->colVal[i].numVals; j++) {
			if (addCol2RuleValue(s->colVal[i].type, s->colName[i],
					s->colVal[i].val[j].value,
					s->colVal[i].val[j].length,
					t))
				return (-1);
		}
	}

	for (i = 0; i < s->numAttrs; i++) {
		for (j = 0; j < s->attrVal[i].numVals; j++) {
			if (addAttr2RuleValue(s->attrVal[i].type,
					s->attrName[i],
					s->attrVal[i].val[j].value,
					s->attrVal[i].val[j].length,
					t))
				return (-1);
		}
	}

	return (0);
}

static int
addVal2RuleValue(char *msg, int caseSens, int snipNul, __nis_value_type_t type,
		char *name, void *value, int valueLen,
		int *numP, char ***inNameP, __nis_value_t **inValP) {
	int			i, j, copyLen = valueLen;
	__nis_single_value_t	*v;
	char			**inName = *inNameP;
	__nis_value_t		*inVal = *inValP;
	int			num = *numP;
	int			(*comp)(const char *s1, const char *s2);
	char			*myself = "addVal2RuleValue";

	/* Internal function, so assume arguments OK */

	if (msg == 0)
		msg = myself;

	/* Should we match the 'inName' value case sensitive or not ? */
	if (caseSens)
		comp = strcmp;
	else
		comp = strcasecmp;

	/*
	 * String-valued NIS+ entries count the concluding NUL in the
	 * length, while LDAP entries don't. In order to support this,
	 * we implement the following for vt_string value types:
	 *
	 * If the last byte of the value isn't a NUL, add one to the
	 * allocated length, so that there always is a NUL after the
	 * value, making it safe to pass to strcmp() etc.
	 *
	 * If 'snipNul' is set (presumably meaning we're inserting a
	 * value derived from a NIS+ entry), and the last byte of the
	 * value already is a NUL, decrement the length to be copied by
	 * one. This (a) doesn't count the NUL in the value length, but
	 * (b) still leaves a NUL following the value.
	 *
	 * In N2L, for all cases we set 'copyLen' to the number of non-0
	 * characters in 'value'.
	 */
	if (type == vt_string && valueLen > 0) {
		char	*charval = value;

		if (charval[valueLen-1] != '\0')
			valueLen += 1;
		else if (yp2ldap || snipNul)
			copyLen -= 1;
	} else if (valueLen == 0) {
		/*
		 * If the 'value' pointer is non-NULL, we create a zero-
		 * length value with one byte allocated. This takes care
		 * of empty strings.
		 */
		valueLen += 1;
	}

	/* If we already have values for this attribute, add another one */
	for (i = 0; i < num; i++) {
		if ((*comp)(inName[i], name) == 0) {

			/*
			 * Our caller often doesn't know the type of the
			 * value; this happens because the type (vt_string
			 * or vt_ber) is determined by the format in the
			 * rule sets, and we may be invoked as a preparation
			 * for evaluating the rules. Hence, we only use the
			 * supplied 'type' if we need to create a value.
			 * Otherwise, we accept mixed types.
			 *
			 * Strings are OK in any case, since we always make
			 * sure to have a zero byte at the end of any value,
			 * whatever the type.
			 */

			if (inVal[i].numVals < 0) {
				/*
				 * Used to indicate deletion of attribute,
				 * so we honor that and don't add a value.
				 */
				return (0);
			}

			/*
			 * If 'value' is NULL, we should delete, so
			 * remove any existing values, and set the
			 * 'numVals' field to -1.
			 */
			if (value == 0) {
				for (j = 0; j < inVal[i].numVals; j++) {
					sfree(inVal[i].val[j].value);
				}
				sfree(inVal[i].val);
				inVal[i].val = 0;
				inVal[i].numVals = -1;
				return (0);
			}

			/* Is the value a duplicate ? */
			for (j = 0; j < inVal[i].numVals; j++) {
				if (copyLen == inVal[i].val[j].length &&
					memcmp(value, inVal[i].val[j].value,
						copyLen) == 0) {
					break;
				}
			}
			if (j < inVal[i].numVals)
				return (0);

			/* Not a duplicate, so add the name/value pair */
			v = realloc(inVal[i].val,
					(inVal[i].numVals+1) *
					sizeof (inVal[i].val[0]));
			if (v == 0)
				return (-1);
			inVal[i].val = v;
			v[inVal[i].numVals].length = copyLen;
			v[inVal[i].numVals].value = am(msg, valueLen);
			if (v[inVal[i].numVals].value == 0 &&
					value != 0) {
				sfree(v);
				return (-1);
			}
			memcpy(v[inVal[i].numVals].value, value, copyLen);
			inVal[i].numVals++;

			return (0);
		}
	}

	/* No previous value for this attribute */

	/*
	 * value == 0 means deletion, in which case we create a
	 * __nis_value_t with the numVals field set to -1.
	 */
	if (value != 0) {
		if ((v = am(msg, sizeof (*v))) == 0)
			return (-1);
		v->length = copyLen;
		v->value = am(msg, valueLen);
		if (v->value == 0 && value != 0) {
			sfree(v);
			return (-1);
		}
		memcpy(v->value, value, copyLen);
	}

	inVal = realloc(inVal, (num+1)*sizeof (inVal[0]));
	if (inVal == 0) {
		if (value != 0) {
			sfree(v->value);
			sfree(v);
		}
		return (-1);
	}
	*inValP = inVal;

	inName = realloc(inName,
		(num+1)*sizeof (inName[0]));
	if (inName == 0 || (inName[num] =
			sdup(msg, T, name)) == 0) {
		sfree(v->value);
		sfree(v);
		return (-1);
	}
	*inNameP = inName;

	inVal[num].type = type;
	inVal[num].repeat = 0;
	if (value != 0) {
		inVal[num].numVals = 1;
		inVal[num].val = v;
	} else {
		inVal[num].numVals = -1;
		inVal[num].val = 0;
	}

	*numP += 1;

	return (0);
}

int
addAttr2RuleValue(__nis_value_type_t type, char *name, void *value,
		int valueLen, __nis_rule_value_t *rv) {
	char			*myself = "addAttr2RuleValue";

	if (name == 0 || rv == 0)
		return (-1);

	return (addVal2RuleValue(myself, 0, 0, type, name, value, valueLen,
				&rv->numAttrs, &rv->attrName, &rv->attrVal));
}

int
addSAttr2RuleValue(char *name, char *value, __nis_rule_value_t *rv) {
	return (addAttr2RuleValue(vt_string, name, value, slen(value), rv));
}

int
addCol2RuleValue(__nis_value_type_t type, char *name, void *value,
		int valueLen, __nis_rule_value_t *rv) {
	char *myself = "addCol2RuleValue";

	if (name == 0 || rv == 0)
		return (-1);

	return (addVal2RuleValue(myself, 1, 1, type, name, value, valueLen,
				&rv->numColumns, &rv->colName, &rv->colVal));
}

int
addSCol2RuleValue(char *name, char *value, __nis_rule_value_t *rv) {
	return (addCol2RuleValue(vt_string, name, value, slen(value), rv));
}

/*
 * Given a table mapping, a NIS+ DB query, and (optionally) an existing
 * and compatible __nis_rule_value_t, return a new __nis_rule_value_t
 * with the values from the query added.
 */
__nis_rule_value_t *
buildNisPlusRuleValue(__nis_table_mapping_t *t, db_query *q,
			__nis_rule_value_t *rv) {
	int			i;
	__nis_single_value_t	*sv;
	char			*myself = "buildNisPlusRuleValue";

	if (t == 0 || q == 0)
		return (0);

	rv = initRuleValue(1, rv);
	if (rv == 0)
		return (0);

	for (i = 0; i < q->components.components_len; i++) {
		int	ic;
		int	iv, v, dup;
		int	len;

		/* Ignore out-of-range column index */
		if (q->components.components_val[i].which_index >=
				t->numColumns)
			continue;

		/*
		 * Add the query value. A NULL value indicates deletion,
		 * but addCol2RuleValue() takes care of that for us.
		 */
		if (addCol2RuleValue(vt_string,
				t->column[q->components.components_val[i].
						which_index],
				q->components.components_val[i].index_value->
					itemvalue.itemvalue_val,
				q->components.components_val[i].index_value->
					itemvalue.itemvalue_len, rv) != 0) {
			freeRuleValue(rv, 1);
			rv = 0;
			break;
		}
	}

	return (rv);
}


/*
 * Given a LHS rule 'rl', return an array containing the item names,
 * and the number of elements in the array in '*numItems'.
 *
 * If there are 'me_match' __nis_mapping_element_t's, we use the
 * supplied '*rval' (if any) to derive values for the items in
 * the 'me_match', and add the values thus derived to '*rval' (in
 * which case the '*rval' pointer will change; the old '*rval'
 * is deleted).
 */
__nis_mapping_item_t *
buildLvalue(__nis_mapping_rlhs_t *rl, __nis_value_t **rval, int *numItems) {
	__nis_value_t		*val, *r;
	__nis_mapping_item_t	*item = 0;
	int			i, n, ni = 0, nv = 0;
	int			repeat = 0;

	if (rl == 0)
		return (0);

	if (rval != 0) {
		r = *rval;
		repeat = r->repeat;
	} else
		r = 0;

	/* If there is more than one element, we concatenate the items */
	for (i = 0; i < rl->numElements; i++) {
		__nis_mapping_element_t	*e = &rl->element[i];
		__nis_mapping_item_t	*olditem, *tmpitem = 0;
		__nis_value_t		**tmp;

		switch (e->type) {
		case me_item:
			tmpitem = cloneItem(&e->element.item);
			break;
		case me_match:
			/*
			 * Obtain values for the items in the 'me_match'
			 * element.
			 */
			tmp = matchMappingItem(e->element.match.fmt, r, &nv,
				0, 0);
			if (tmp != 0) {
				freeValue(r, 1);
				val = 0;
				for (n = 0; n < nv; n++) {
					r = concatenateValues(val, tmp[n]);
					freeValue(val, 1);
					freeValue(tmp[n], 1);
					val = r;
					if (val == 0) {
						for (n++; n < nv; n++) {
							freeValue(tmp[n], 1);
						}
						break;
					}
				}
				free(tmp);
				if (rval != 0) {
					if (repeat && val != 0)
						val->repeat = repeat;
					*rval = val;
				}
				for (n = 0; n < e->element.match.numItems;
						n++) {
					olditem = item;
					item = concatenateMappingItem(item, ni,
						&e->element.match.item[n]);
					freeMappingItem(olditem, ni);
					if (item == 0) {
						ni = 0;
						break;
					}
					ni++;
				}
			}
			break;
		case me_print:
		case me_split:
		case me_extract:
		default:
			/* These shouldn't show up on the LHS; ignore */
			break;
		}

		if (tmpitem != 0) {
			olditem = item;
			item = concatenateMappingItem(item, ni, tmpitem);
			freeMappingItem(olditem, ni);
			freeMappingItem(tmpitem, 1);
			ni++;
			if (item == 0) {
				ni = 0;
				break;
			}
		}
	}

	if (numItems != 0)
		*numItems = ni;

	return (item);
}

__nis_value_t *
buildRvalue(__nis_mapping_rlhs_t *rl, __nis_mapping_item_type_t native,
		__nis_rule_value_t *rv, int *stat) {
	__nis_value_t	*val, *vold = 0, *vnew;
	int		i;
	char		*myself = "buildRvalue";

	if (rl == 0 || rl->numElements <= 0) {
		/*
		 * No RHS indicates deletion, as does a __nis_value_t
		 * with numVals == -1, so we return such a creature.
		 */
		val = am(myself, sizeof (*val));
		if (val != 0) {
			val->type = vt_string;
			val->numVals = -1;
		}
		return (val);
	}

	/* If there is more than one element, we concatenate the values */
	for (i = 0; i < rl->numElements; i++) {
		vnew = getMappingElement(&rl->element[i], native, rv, stat);
		val = concatenateValues(vold, vnew);
		freeValue(vnew, 1);
		freeValue(vold, 1);
		vold = val;
	}
	return (val);
}

/*
 * Derive values for the LDAP attributes specified by the rule 'r',
 * and add them to the rule-value 'rv'.
 *
 * If 'doAssign' is set, out-of-context assignments are performed,
 * otherwise not.
 */
__nis_rule_value_t *
addLdapRuleValue(__nis_table_mapping_t *t,
			__nis_mapping_rule_t *r,
			__nis_mapping_item_type_t lnative,
			__nis_mapping_item_type_t rnative,
			__nis_rule_value_t *rv,
			int doAssign, int *stat) {
	int			i, j;
	char			**new;
	__nis_value_t		*rval, *lval;
	__nis_buffer_t		b = {0, 0};
	__nis_mapping_item_t	*litem;
	int			numItems;
	char			**dn = 0;
	int			numDN = 0;
	char			*myself = "addLdapRuleValue";


	/* Do we have the required values ? */
	if (rv == 0)
		return (0);

	/*
	 * Establish appropriate search base. For rnative == mit_nisplus,
	 * we're deriving LDAP attribute values from NIS+ columns; in other
	 * words, we're writing to LDAP, and should use the write.base value.
	 */
	__nisdb_get_tsd()->searchBase = (rnative == mit_nisplus) ?
		t->objectDN->write.base : t->objectDN->read.base;

	/* Set escapeFlag if LHS is "dn" to escape special chars */
	if (yp2ldap && r->lhs.numElements == 1 &&
		r->lhs.element->type == me_item &&
		r->lhs.element->element.item.type == mit_ldap &&
		strcasecmp(r->lhs.element->element.item.name, "dn") == 0) {
			__nisdb_get_tsd()->escapeFlag = '1';
	}

	/* Build the RHS value */
	rval = buildRvalue(&r->rhs, rnative, rv, stat);

	/* Reset escapeFlag */
	__nisdb_get_tsd()->escapeFlag = '\0';

	if (rval == 0)
		return (rv);

	/*
	 * Special case: If we got no value for the RHS (presumably because
	 * we're missing one or more item values), we don't produce an lval.
	 * Note that this isn't the same thing as an empty value, which we
	 * faithfully try to transmit to LDAP.
	 */
	if (rval->numVals == 1 && rval->val[0].value == 0) {
		freeValue(rval, 1);
		return (rv);
	}

	/* Obtain the LHS item names */
	litem = buildLvalue(&r->lhs, &rval, &numItems);
	if (litem == 0) {
		freeValue(rval, 1);
		return (rv);
	}

	/* Get string representations of the LHS item names */
	lval = 0;
	for (i = 0; i < numItems; i++) {
		__nis_value_t	*tmpval, *old;

		tmpval = getMappingItem(&litem[i], lnative, 0, 0, NULL);

		/*
		 * If the LHS item is out-of-context, we do the
		 * assignment right here.
		 */
		if (doAssign && litem[i].type == mit_ldap &&
				litem[i].searchSpec.triple.scope !=
					LDAP_SCOPE_UNKNOWN &&
				slen(litem[i].searchSpec.triple.base) > 0 &&
				(slen(litem[i].searchSpec.triple.attrs) > 0 ||
				litem[i].searchSpec.triple.element != 0)) {
			int	stat;

			if (dn == 0)
				dn = findDNs(myself, rv, 1,
					t->objectDN->write.base,
					&numDN);

			stat = storeLDAP(&litem[i], i, numItems, rval,
				t->objectDN, dn, numDN);
			if (stat != LDAP_SUCCESS) {
				char	*iname = "<unknown>";

				if (tmpval != 0 &&
						tmpval->numVals == 1)
					iname = tmpval->val[0].value;
				logmsg(MSG_NOTIMECHECK, LOG_ERR,
					"%s: LDAP store \"%s\": %s",
					myself, iname,
					ldap_err2string(stat));
			}

			freeValue(tmpval, 1);
			continue;
		}

		old = lval;
		lval = concatenateValues(old, tmpval);
		freeValue(tmpval, 1);
		freeValue(old, 1);
	}

	/* Don't need the LHS items themselves anymore */
	freeMappingItem(litem, numItems);

	/*
	 * If we don't have an 'lval' (probably because all litem[i]:s
	 * were out-of-context assignments), we're done.
	 */
	if (lval == 0 || lval->numVals <= 0) {
		freeValue(lval, 1);
		freeValue(rval, 1);
		return (rv);
	}

	for (i = 0, j = 0; i < lval->numVals; i++) {
		/* Special case: rval->numVals < 0 means deletion */
		if (rval->numVals < 0) {
			(void) addAttr2RuleValue(rval->type,
				lval->val[i].value, 0, 0, rv);
			continue;
		}
		/* If we're out of values, repeat the last one */
		if (j >= rval->numVals)
			j = (rval->numVals > 0) ? rval->numVals-1 : 0;
		for (0; j < rval->numVals; j++) {
			/*
			 * If this is the 'dn', and the value ends in a
			 * comma, append the appropriate search base.
			 */
			if (strcasecmp("dn", lval->val[i].value) == 0 &&
					lastChar(&rval->val[j]) == ',' &&
					t->objectDN->write.scope !=
						LDAP_SCOPE_UNKNOWN) {
				void	*nval;
				int	nlen = -1;

				nval = appendString2SingleVal(
					t->objectDN->write.base, &rval->val[j],
					&nlen);
				if (nval != 0 && nlen >= 0) {
					sfree(rval->val[j].value);
					rval->val[j].value = nval;
					rval->val[j].length = nlen;
				}
			}
			(void) addAttr2RuleValue(rval->type,
				lval->val[i].value, rval->val[j].value,
				rval->val[j].length, rv);
			/*
			 * If the lval is multi-valued, go on to the
			 * other values; otherwise, quit (but increment
			 * the 'rval' value index).
			 */
			if (!lval->repeat) {
				j++;
				break;
			}
		}
	}

	/* Clean up */
	freeValue(lval, 1);
	freeValue(rval, 1);

	return (rv);
}

/*
 * Remove the indicated attribute, and any values for it, from the
 * rule-value.
 */
void
delAttrFromRuleValue(__nis_rule_value_t *rv, char *attrName) {
	int	i;

	if (rv == 0 || attrName == 0)
		return;

	for (i = 0; i < rv->numAttrs; i++) {
		if (strcasecmp(attrName, rv->attrName[i]) == 0) {
			int	j;

			for (j = 0; j < rv->attrVal[i].numVals; j++)
				sfree(rv->attrVal[i].val[j].value);
			if (rv->attrVal[i].numVals > 0)
				sfree(rv->attrVal[i].val);

			sfree(rv->attrName[i]);

			/* Move up the rest of the attribute names/values */
			for (j = i+1; j < rv->numAttrs; j++) {
				rv->attrName[j-1] = rv->attrName[j];
				rv->attrVal[j-1] = rv->attrVal[j];
			}

			rv->numAttrs -= 1;

			break;
		}
	}
}

/*
 * Remove the indicated column, and any values for it, from the
 * rule-value.
 */
void
delColFromRuleValue(__nis_rule_value_t *rv, char *colName) {
	int	i;

	if (rv == 0 || colName == 0)
		return;

	for (i = 0; i < rv->numColumns; i++) {
		if (strcmp(colName, rv->colName[i]) == 0) {
			int	j;

			for (j = 0; j < rv->colVal[i].numVals; j++)
				sfree(rv->colVal[i].val[j].value);
			if (rv->colVal[i].numVals > 0)
				sfree(rv->colVal[i].val);

			sfree(rv->colName[i]);

			/* Move up the rest of the column names/values */
			for (j = i+1; j < rv->numColumns; j++) {
				rv->colName[j-1] = rv->colName[j];
				rv->colVal[j-1] = rv->colVal[j];
			}

			rv->numColumns -= 1;

			break;
		}
	}
}

/*
 * Add the write-mode object classes specified by 'objClassAttrs' to the
 * rule-value 'rv'.
 * If there's an error, 'rv' is deleted, and NULL returned.
 */
__nis_rule_value_t *
addObjectClasses(__nis_rule_value_t *rv, char *objClassAttrs) {
	char	*filter = 0, **fc = 0;
	int	i, nfc = 0;

	/*
	 * Expect to only use this for existing rule-values, so rv == 0 is
	 * an error.
	 */
	if (rv == 0)
		return (0);

	/*
	 * If 'objClassAttrs' is NULL, we trivially have nothing to do.
	 * Assume the caller knows what it's doing, and return success.
	 */
	if (objClassAttrs == 0)
		return (rv);

	/*
	 * Make an AND-filter of the object classes, and split into
	 * components. (Yes, this is a bit round-about, but leverages
	 * existing functions.)
	 */
	filter = makeFilter(objClassAttrs);
	if (filter == 0) {
		freeRuleValue(rv, 1);
		return (0);
	}

	fc = makeFilterComp(filter, &nfc);
	if (fc == 0 || nfc <= 0) {
		free(filter);
		freeRuleValue(rv, 1);
		return (0);
	}

	/* Add the objectClass attributes to the rule-value */
	for (i = 0; i < nfc; i++) {
		char	*name, *value;

		name = fc[i];
		/* Skip if not of the "name=value" form */
		if ((value = strchr(name, '=')) == 0)
			continue;

		*value = '\0';
		value++;

		/* Skip if the attribute name isn't "objectClass" */
		if (strcasecmp("objectClass", name) != 0)
			continue;

		if (addSAttr2RuleValue(name, value, rv) != 0) {
			free(filter);
			freeFilterComp(fc, nfc);
			freeRuleValue(rv, 1);
			return (0);
		}
	}

	free(filter);
	freeFilterComp(fc, nfc);

	return (rv);
}


static char *
valString(__nis_value_t *val) {
	int	i;

	if (val == 0 || val->type != vt_string)
		return (0);

	for (i = 0; i < val->numVals; i++) {
		/* Look for a non-NULL, non-zero length value */
		if (val->val[i].value != 0 && val->val[i].length > 0) {
			char	*v = val->val[i].value;

			/*
			 * Check that there's a NUL at the end. True,
			 * if there isn't, we may be looking beyond
			 * allocated memory. However, we would have done
			 * so in any case when the supposed string was
			 * traversed (printed, etc.), very possibly by
			 * a lot more than one byte. So, it's better to
			 * take a small risk here than a large one later.
			 */
			if (v[val->val[i].length-1] == '\0' ||
					v[val->val[i].length] == '\0')
				return (v);
		}
	}

	return (0);
}

char *
findVal(char *name, __nis_rule_value_t *rv, __nis_mapping_item_type_t type) {
	int	i;

	if (type == mit_nisplus) {
		for (i = 0; i < rv->numColumns; i++) {
			if (rv->colName[i] == 0)
				continue;
			if (strcmp(name, rv->colName[i]) == 0) {
				return (valString(&rv->colVal[i]));
			}
		}
	} else if (type == mit_ldap) {
		for (i = 0; i < rv->numAttrs; i++) {
			if (rv->attrName[i] == 0)
				continue;
			if (strcasecmp(name, rv->attrName[i]) == 0) {
				return (valString(&rv->attrVal[i]));
			}
		}
	}

	return (0);
}

static char	*norv = "<NIL>";
static char	*unknown = "<unknown>";

/*
 * Attempt to derive a string identifying the rule-value 'rv'. The
 * returned string is a pointer, either into 'rv', or to static
 * storage, and must not be freed.
 */
char *
rvId(__nis_rule_value_t *rv, __nis_mapping_item_type_t type) {
	char	*v;

	if (rv == 0)
		return (norv);

	if (rv->numColumns > 0 && type == mit_nisplus) {
		/*
		 * Look for a column called "cname" or "name".
		 * If that fails, try "key" or "alias".
		 */
		if ((v = findVal("cname", rv, type)) != 0)
			return (v);
		else if ((v = findVal("name", rv, type)) != 0)
			return (v);
		else if ((v = findVal("key", rv, type)) != 0)
			return (v);
		else if ((v = findVal("alias", rv, type)) != 0)
			return (v);
	} else if (rv->numAttrs > 0 && type == mit_ldap) {
		/*
		 * Look for "dn", or "cn".
		 */
		if ((v = findVal("dn", rv, type)) != 0)
			return (v);
		else if ((v = findVal("cn", rv, type)) != 0)
			return (v);
	}

	return (unknown);
}

/*
 * Merge the rule-values with the same DN into one. Each rule-value
 * in the returned array will have unique 'dn'. On entry, *numVals
 * contains the number of rule-values in 'rv'. On exit, it contains
 * the number of rule-values in the returned array or -1 on error.
 */
__nis_rule_value_t *
mergeRuleValueWithSameDN(__nis_rule_value_t *rv, int *numVals) {
	__nis_rule_value_t	*rvq = 0;
	char			*dn, *odn;
	int			count = 0;
	int			i, j;

	if (numVals == 0)
		return (0);

	for (i = 0; i < *numVals; i++) {
		if ((dn = findVal("dn", &rv[i], mit_ldap)) != 0) {
			for (j = 0; j < count; j++) {
				if ((odn = findVal("dn", &rvq[j],
						mit_ldap)) != 0) {
					/* case sensitive compare */
					if (strcmp(dn, odn) != 0)
						continue;
					if (mergeRuleValue(&rvq[j],
							&rv[i]) == -1) {
						freeRuleValue(rvq, count);
						*numVals = -1;
						return (0);
					}
					break;
				} else {
					freeRuleValue(rvq, count);
					*numVals = -1;
					return (0);
				}
			}
			/* if no match, then add it to the rulevalue array */
			if (j == count) {
				rvq = growRuleValue(count, count + 1, rvq,
									&rv[i]);
				if (rvq == 0) {
					*numVals = -1;
					return (0);
				}
				count++;
			}
		}
	}

	*numVals = count;
	return (rvq);
}